Enforce _X509_CHECK_FLAG_DOT_SUBDOMAINS internal-only

[openssl.git] / crypto / x509v3 / v3_utl.c

diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index 004a1339ea5d392507bf7a0e4674f8459dbf3af8..6e91ac9816eebdb8881994f2a6b2254c451c3400 100644 (file)
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -584,13 +584,9 @@ static void skip_prefix(const unsigned char **p, size_t *plen,
         * If subject starts with a leading '.' followed by more octets, and
         * pattern is longer, compare just an equal-length suffix with the
         * full subject (starting at the '.'), provided the prefix contains
-        * no NULs.  (We check again that subject starts with '.' and
-        * contains at least one subsequent character, just in case the
-        * internal _X509_CHECK_FLAG_DOT_SUBDOMAINS flag was erroneously
-        * set by the user).
+        * no NULs.
         */
-       if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0 ||
-           subject_len <= 1 || subject[0] != '.')
+       if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
                return;
 
        while (pattern_len > subject_len && *pattern)
@@ -895,6 +891,9 @@ static int do_x509_check(X509 *x, const unsigned char *chk, size_t chklen,
        int alt_type;
        int san_present = 0;
        equal_fn equal;
+
+       /* See below, this flag is internal-only */
+       flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
        if (check_type == GEN_EMAIL)
                {
                cnid = NID_pkcs9_emailAddress;